From 56af0155632a3a962a8bd3e04cc0cd249ab5be54 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Fri, 12 Sep 2025 10:13:44 +0900
Subject: [PATCH] Hide credentials in contexts from logs

Do not record the full context values in plain format, because these
may contain sensitive values such as request token. Use the generic
mask feature to detect potentially sensitive fields and replace raw
values by '***'.

Story: 2011523
Task: 52787
Change-Id: Ic997d36ec188b390473437c874085ef9a8c41f2f
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
---
 cloudkitty/common/policy.py                       | 15 ++++++++++-----
 .../hide-token-from-log-e29066d6c93f3ed4.yaml     |  6 ++++++
 2 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml

diff --git a/cloudkitty/common/policy.py b/cloudkitty/common/policy.py
index 3dcd5c5e..af26d574 100644
--- a/cloudkitty/common/policy.py
+++ b/cloudkitty/common/policy.py
@@ -22,6 +22,7 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_policy import policy
 from oslo_utils import excutils
+from oslo_utils import strutils
 
 from cloudkitty.common import policies
 
@@ -102,8 +103,9 @@ def authorize(context, action, target):
     init()
 
     try:
-        LOG.debug('Authenticating user with credentials %(credentials)s',
-                  {'credentials': context.to_dict()})
+        LOG.debug(
+            'Authenticating user with credentials %(credentials)s',
+            {'credentials': strutils.mask_dict_password(context.to_dict())})
         return _ENFORCER.authorize(action, target, context,
                                    do_raise=True,
                                    exc=PolicyNotAuthorized,
@@ -114,9 +116,12 @@ def authorize(context, action, target):
             LOG.exception('Policy not registered')
     except Exception:
         with excutils.save_and_reraise_exception():
-            LOG.error('Policy check for %(action)s failed with credentials '
-                      '%(credentials)s',
-                      {'action': action, 'credentials': context.to_dict()})
+            LOG.error(
+                'Policy check for %(action)s failed with credentials '
+                '%(credentials)s', {
+                    'action': action,
+                    'credentials': strutils.mask_dict_password(
+                        context.to_dict())})
 
 
 def check_is_admin(context):
diff --git a/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
new file mode 100644
index 00000000..2e78c723
--- /dev/null
+++ b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Previously, cloudkitty-api recorded request token in plain text format when
+    a request does not comply with policy rules or debug log is enabled. This
+    has been fixed and now token is masked in logs.